MightyPork
/
airsonic-custom
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
My fork of airsonic with experimental fixes and improvements. See branch "custom"
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
682 Commits
2 Branches
0 Tags
85 MiB
 
 
 
Tag: Branch: Tree: dbd2a738eb
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'dbd2a738eb'
${ noResults }
airsonic-custom/airsonic-main/cve-suppressed.xml

117 lines
4.9 KiB
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[RC4 vulnerability in ssl. We don't use ssl at the application container level]]></notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2015-2808</cve>
</suppress>
<suppress>
<notes><![CDATA[RC4 vulnerability in ssl. We don't use ssl at the application container level]]></notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2013-2566</cve>
</suppress>
<suppress>
<notes>
<![CDATA[This is for ruby - not for java and besides we don't allow user supplied information in emails]]></notes>
<gav regex="true">^.*$</gav>
<cve>CVE-2015-9097</cve>
</suppress>
<!-- This is for the oracle/glassfish application server implementation, not the api. -->
<suppress>
<notes><![CDATA[file name: javax.servlet.jsp-api-2.3.1.jar]]></notes>
<gav regex="true">^javax\.servlet\.jsp:javax\.servlet\.jsp-api:.*$</gav>
<cve>CVE-2011-5035</cve>
</suppress>
<!-- For drupal, so doesn't apply to us -->
<suppress>
<notes><![CDATA[file name: validation-api-1.1.0.Final.jar]]></notes>
<gav regex="true">^javax\.validation:validation-api:.*$</gav>
<cve>CVE-2013-4499</cve>
</suppress>
<!-- This seems to pick up many false positives for the server component which we have no control over -->
<suppress>
<notes><![CDATA[file name: mysql-connector-java-5.1.43.jar]]></notes>
<gav regex="true">^mysql:mysql-connector-java:.*$</gav>
<cpe regex="true">.*</cpe>
</suppress>
<!-- Jetty is currently only used for developer experimentation -->
<suppress>
<notes><![CDATA[file name: jetty-schemas-3.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.jetty\.toolchain:jetty-schemas:.*$</gav>
<cve>CVE-2017-9735</cve>
</suppress>
<!-- No git functionality is used from the following dependencies -->
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2017-14867</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2015-7545</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2015-7082</cve>
</suppress>
<suppress>
<notes><![CDATA[file name: org.eclipse.persistence.core-2.5.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.persistence:org\.eclipse\.persistence\..*$</gav>
<cve>CVE-2010-2542</cve>
</suppress>
<!-- Ignore all false positives for the server component -->
<suppress>
<notes><![CDATA[file name: mariadb-java-client-2.1.0.jar]]></notes>
<gav regex="true">^org\.mariadb\.jdbc:mariadb-java-client:.*$</gav>
<cpe>cpe:/a:mariadb:mariadb</cpe>
</suppress>
<!-- This cve is not for spring ldap, but for typo3 -->
<suppress>
<notes><![CDATA[file name: spring-ldap-core-2.3.1.RELEASE.jar]]></notes>
<gav regex="true">^org\.springframework\.ldap:spring-ldap-core:.*$</gav>
<cve>CVE-2014-6232</cve>
</suppress>
<!-- We do not support https for the embedded tomcat setup -->
<suppress>
<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2017-6056</cve>
</suppress>
<!-- This only impacts distro packages, not embedded -->
<suppress>
<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2016-6325</cve>
</suppress>
<!-- This only impacts distro packages, not embedded -->
<suppress>
<notes><![CDATA[file name: tomcat-annotations-api-8.5.23.jar]]></notes>
<gav regex="true">^org\.apache\.tomcat:tomcat-annotations-api:.*$</gav>
<cve>CVE-2016-5425</cve>
</suppress>
<!-- Jetty is currently disabled and not added to the built war -->
<suppress>
<notes><![CDATA[file name: jetty-schemas-3.1.jar]]></notes>
<gav regex="true">^org\.eclipse\.jetty\..*$</gav>
<cpe>cpe:/a:mortbay_jetty:jetty</cpe>
</suppress>
<!--Vulnerabilty lies in Database Clusterscripts-->
<suppress>
<notes><![CDATA[file name: postgresql-42.1.4.jar]]></notes>
<gav regex="true">^org\.postgresql:postgresql:.*$</gav>
<cve>CVE-2017-8806</cve>
</suppress>
</suppressions>